Most Americans will likely never
forget where they were in March of 2020 when the world seemingly shut
down. While many used that time to
reflect, enjoyed down time with family or even binge watched streaming
services, health care workers geared up to save the lives of people impacted by
COVID-19. The novelty of this coronavirus posed exceptional
challenges, placed unparalleled strain on the health care industry and exposed
One vulnerability in particular
has, does and will continue to be a significant risk. That threat is cybercrime. It is as relentless as it is lucrative, and
it has taken the health care industry by storm during a time when resources are
low, and distractions are high.
DIGITAL CALM BEFORE THE STORM
In an almost unbelievable twist, some
major cybercrime groups promised a “ceasefire” on cybersecurity attacks of the health
care industry at the beginning of the pandemic.
DoppelPaymer Ransomware stated that they “always try to avoid hospitals…nursing
homes” but if they happened to be responsible for a ransomware attack of a
health care provider during the pandemic, they would provide a decryptor key
free of charge. Likewise, Nefilim Ransomware took the same approach. However, groups like Netwalker Ransomware and
Maze promised not to intentionally target health care facilities, but would not
commit to decryption if a health care entity was inadvertently impacted.
While the alleged truce made by some
of the larger cybercriminal groups may have appeared to be altruistic, the
motivation may have been totally self-serving. During a global crisis, these
groups likely decided that staying below the radar of law enforcement and
military agencies was more about self-preservation than kindness to their
CYBERCRIMINAL LEAVY BREAKS
While hopes were high that a
global pandemic would cause bad actors to have mercy on mankind, data reflects
that cybercrimes escalated during the pandemic.
On October 28, 2020, the Federal Bureau of Investigation (FBI),
Cybersecurity and Infrastructure Security Agency (CISA) and the Department of
Health and Human Services (HHS) issued a joint advisory warning of an
“increased and imminent cybercrime threat to U.S. hospitals and health care
providers.” It further stated that these
bad actors were producing attacks which caused “data theft and disruption of
As the global threat of
cybercriminal activity proliferates within the health care sector, the industry
must find ways to fight back. One way
that the health care industry can stand up against these persistent threats is
more investments in their information security infrastructure, similar to that
of the financial sector. These investments should include stronger password
requirements, endpoint protection, and multi-factor authentication.
Every effort must be made to
determine and mitigate risk to protected health information. There are several proactive measures that
health care entities can take to decrease their risk of inappropriate
disclosures of patient data. Those
measures include, but are not limited to, the following:
in Anti-Virus Protection Software – Anti-virus protection software is a
tool that can help entities detect and neutralize threats. Most entities prefer efficiency. This software will assist by filtering out
malware which often slows down information system processes. It has the added benefit of protecting your
investment and allowing you to avoid the expense of purchasing new operating
systems should your existing system become damaged due to malware.
and Off-Site System Backup – Federal regulations require covered entities
to ensure on-site and off-site backup.
Should an entity become a victim of a ransomware attack or be forced to
pivot to emergency operations, it is necessary to have backup systems that
allow the entity to access and utilize reliable data.
Training – There is no greater defense to cyber threats than a well-trained
workforce. Entities should ensure that
cybersecurity threats are emphasized to workforce members in refresher training
so that employees are able to appropriately identify and report suspicious
of Data – Entities should ensure that they are complying with the Minimum
Necessary Rule for access to their information systems.
The COVID-19 pandemic has produced significant uncertainty
in the health care environment and highlighted the need for renewed emphasis on
protecting patient data. HIPAA covered
entities should use this time to assess whether they are operating in
compliance with the Privacy Rule, Security Rule and Breach
Notification Rule. Likewise, they
should reassess their Risk Analysis to ensure that it is HIPAA-compliant
and take necessary action to avoid unauthorized disclosures.
Samarria Dunson (firstname.lastname@example.org) is attorney/principal of Dunson
Group, LLC, a health care compliance consulting and law firm in Montgomery,
Alabama. She is also Of Counsel with the
law firm of Balch & Bingham, LLP.